The Regulation misses several of its targets and does not contribute to a systematic, comprehensive and uniform restart of data protection law in all Member States of the Union. Instead, it leads to a co-regulation and cohabitation of Union law and national law. This creates a number of difficult legal questions on how these fields of law will interact and which law will apply in the future. In the face of these open questions, legal uncertainty arises for both controllers and data subjects.
The opinions etc. of the Article 29 Working Party and the guidelines etc. of the EDPB can make a significant contribution towards increasing legal certainty. They help create and secure a consistent interpretation of Union law. Furthermore, legal certainty could be increased significantly if the ECJ went beyond answering individual questions more frequently and instead took a stand on fundamental issues.
The Member States can confront legal uncertainty by adapting their general and sectoral data protection law to the Regulation or by evolving it. However, instead of going beyond the scope of protection provided by the existing German Federal Data Protection Act, Germany as the first Member State to implement the GDPR has opted to lower the national standard effectively, in some places even below the standard provided by the GDPR. Austrian lawmakers have also passed on the chance to modernise data protection law and left much of the scope for initiative provided by the GDPR unused. It seems that the goal was to merely fulfil minimum requirements of the Regulation instead of setting a higher data protection standard.
A thorough revision of the GDPR and with it of the fundamentals of European data protection is unlikely to occur in the foreseeable future. However, the European Union can regulate sectoral and technologically specific data protection. Good examples are Art. 6 of the eCall Regulation (EU) 2015/758 and the draft of the proposed ePrivacy Regulation. In the latter, the Commission deviated from the technological neutrality of the GDPR and does not apply the general rules of the GDPR, but instead creates riskspecific provisions to regulate the particular technologies of electronic communication. Should the Commission decide to create further sectoral provisions, then that would be a step in the right direction.
However, the Union will only set out to create modern, risk-specific provisions, if the relevant stakeholders put on sufficient pressure. A suitable tool to reach this goal would be exemplary provisions created by the Member States which in particular amend or specify the abstract and incomplete provisions of the GDPR. The Member States should make use of the more than 70 opening clauses that the GDPR contains. In this context, the German Conference of the Independent Data Protection Authorities has called upon the Member States to use the opening clauses for modernising data protection law. Nevertheless, the EDPB in particular should make use of its extensive authority to contribute to both a harmonisation of and an increase in the data protection standard. The Board should work towards a prompt union-wide agreement and understanding particularly with regard to difficult questions and provide solutions to both the Member States and the users on how to create modern and consistent data protection.